Background


Network traffic monitoring is important.
Storage is important.
Analysis is important.




Storage

[Figure: storage growing day by day, labelled Day 1, Day 2, ... Days]


The Problem


The "collect everything" mentality is not effective.

• Network data typically rolls off before it becomes useful to analysts.

• Some data collected has little to no value, ever.

• Too much data inhibits analysis.

• Storage can become expensive.

When you can't keep everything, what do you do?
The Solution

A methodology to help organizations collect

• the right network information

• at the right tiers

• for the right amount of time

Smart Collection and Storage Method for Network Traffic Data

Available online in the SEI Digital Library:
http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=304860
✓ Investigate Attacks

✓ Enforce Policies

✓ Provide Information to Create Policies

✓ Profile Network Traffic

✓ Plan for Network Upgrades
✓ Scanning

✓ Indexing

✓ Malware Drop

✓ C2/Backdoor Comms

✓ Worm Propagation

✓ System Control

✓ Exfiltration

✓ Data Corruption

✓ DoS/DDoS Floods

✓ DoS/DDoS Crashes
✓ Scanning
✓ Indexing
✓ Malware Drop          #1
✓ C2/Backdoor Comms     #3
✓ Worm Propagation
✓ System Control        #5
✓ Exfiltration          #2
✓ Data Corruption       #6
✓ DoS/DDoS Floods       #8
✓ DoS/DDoS Crashes      #7
TCP: Encrypted
TCP: HTTP
TCP: Remote Connections
TCP: Email
TCP: File Copy
TCP: VoIP
TCP: All other TCP
UDP: Encrypted
UDP: DNS
UDP: Remote Connections
UDP: VoIP
UDP: All other UDP
ICMP
Other
TCP: Encrypted            3 weeks
TCP: HTTP                 6 months
TCP: Remote Connections
TCP: Email                2 years
TCP: File Copy
TCP: VoIP
TCP: All other TCP

UDP: Encrypted            3 weeks
UDP: DNS                  6 months
UDP: Remote Connections
UDP: VoIP
UDP: All other UDP
ICMP
Other

[Calendar graphic: S M T W T F S]
Application of the Methodology

Projected storage after a given number of months:

    Current\ Storage \times (1 + Growth\ Rate)^{Months}

Growth rate, derived from two measurements taken # months apart:

    Growth\ Rate = \sqrt[\#\ months]{\frac{ending\ value}{starting\ value}} - 1
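As an added worked example (not from the SEI slides), this Python script sizes the tiered store for the categories whose retention the slides label, compares it with keeping every category for the longest tier, and applies the growth-rate and projection formulas above; the per-category daily volumes and the two measurements are constructed assumptions.

```python
from dataclasses import dataclass

# Retention tiers named on the slides, in days (months approximated).
DAYS = {"3 weeks": 21, "6 months": 182, "2 years": 730}

@dataclass
class Category:
    name: str        # traffic category label from the slides
    daily_gb: float  # constructed sample volume collected per day
    tier: str        # retention tier the slide assigns to this category

def growth_rate(starting_value: float, ending_value: float, months: int) -> float:
    """Growth Rate = (ending value / starting value)^(1 / # months) - 1."""
    if starting_value <= 0 or months <= 0:
        raise ValueError("starting value and # months must be positive")
    return (ending_value / starting_value) ** (1.0 / months) - 1

def project_storage(current_storage: float, rate: float, months: int) -> float:
    """Current Storage x (1 + Growth Rate)^Months."""
    return current_storage * (1 + rate) ** months

def steady_state_gb(categories: list) -> float:
    """Storage held once every tier is full: sum of daily volume x retention days."""
    return sum(c.daily_gb * DAYS[c.tier] for c in categories)

def tier_breakdown(categories: list) -> dict:
    """Steady-state storage per tier, to show which tier drives the cost."""
    out: dict = {}
    for c in categories:
        out[c.tier] = out.get(c.tier, 0.0) + c.daily_gb * DAYS[c.tier]
    return out

def collect_everything_gb(categories: list, tier: str = "2 years") -> float:
    """The 'collect everything' baseline: every category kept for the longest tier."""
    return sum(c.daily_gb for c in categories) * DAYS[tier]

# Constructed sample volumes; the tiers are the ones labelled on the slide.
SAMPLE = [
    Category("TCP: Encrypted", 40.0, "3 weeks"),
    Category("TCP: HTTP", 25.0, "6 months"),
    Category("TCP: Email", 2.0, "2 years"),
    Category("UDP: Encrypted", 10.0, "3 weeks"),
    Category("UDP: DNS", 5.0, "6 months"),
]

if __name__ == "__main__":
    rate = growth_rate(starting_value=7000.0, ending_value=7970.0, months=6)  # constructed
    print(f"tiered steady state: {steady_state_gb(SAMPLE):.0f} GB by tier {tier_breakdown(SAMPLE)}")
    print(f"collect-everything baseline: {collect_everything_gb(SAMPLE):.0f} GB")
    print(f"growth {rate:.2%}/month; 12 months out: {project_storage(steady_state_gb(SAMPLE), rate, 12):.0f} GB")
```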
Questions?

Angela Horneman
ahorneman@cert.org

Nathan Dell
nathand@cert.org